File: USPT



Sep 9, 2003 



DOCUMENT-IDENTIFIER: US 6618757 B1

TITLE: System and method for dynamic IP address management 



Abstract Text (1) : 

An architecture for dynamic IP address management is disclosed. The architecture
includes a gateway (GW) coupled between a private IP network and a public IP
network. A dynamic host configuration processor (DHCP) is operatively coupled to
the GW. A network address translator (NAT) couples to the GW. Lastly, a processor,
operatively coupled to the GW and the DHCP, is provided for dynamically assigning
to a private IP network subscriber equipment an external IP address and a
corresponding IP address hold time as a function of an application to be performed.
Assignment of the external IP address and a corresponding IP address hold time is
in response to a) a request for accessing the public IP network by a subscriber
equipment of the private IP network to perform the application, or b) a request for
accessing the private IP network by an entity of the public IP network. The
external IP address is selected from a prescribed number of external IP addresses
available to the private IP network.

Current US Original Classification (1) : 
709/226

(12) United States Patent (10) Patent No.: US 6,697,864 B1

Demirtjis et al. (45) Date of Patent: Feb. 24, 2004



(54) LOGIN ARCHITECTURE FOR NETWORK 
ACCESS THROUGH A CABLE SYSTEM 

(75) Inventors: Ann Demirtjis, Redmond, WA (US);

Mark T. Jeffrey, Wokingham (GB)

(73) Assignee: Microsoft Corporation, Redmond, WA

(57) ABSTRACT

A login architecture for a computer to access an external
network, such as the Internet, through a cable network
provides session-based connection to the external computer
network. The home computer is first assigned a restricted
network address by the cable network. With the restricted
network address, the user may access a "walled garden" of
the cable network, but cannot access the external computer
network. To access the external computer network, a
session-based connection, such as a "tunnel" under the
Point-to-Point Tunneling Protocol, is formed between the
home computer and a connection server of the cable
network, and the user is authenticated over the session-based
connection. A second network address usable for accessing
the external network is then assigned to the home computer.
The home computer sends network communication packets
using the public network address through the session-based
connection to the connection provider, which forwards the
communication packets to the external computer network.
The login architecture may be implemented to provide
connection to the external network on a per-user account
basis or on a home account basis. In the case where the
external network is the Internet, a selection of Internet
service providers (ISPs) for Internet access through the cable
network is provided by using multiple connection servers
connected to different ISPs.

23 Claims, 8 Drawing Sheets

□ 1. Document ID: US 6885871 B2

L7: Entry 1 of 7 File: USPT Apr 26, 2005 



DOCUMENT-IDENTIFIER: US 6885871 B2 

TITLE: Method for the addressing of a mobile terminal 



Detailed Description Text (16) : 

The gateway 128 has a microprocessor 129, interface circuits 130 for interfacing 
with the GSM network 118, interface circuits 131 for interfacing with the Internet 
network 106, a program memory 132, a memory 151 to register a public Internet 
address of the gateway 128, a communications means allocation memory 133, and an 
access control memory 134. The elements 129 to 134 are connected through a bus 135. 



Detailed Description Text (33) : 

At the step 211, the gateway 128 also updates the table 134. Indeed, the means 
allocation request message comprises an identifier of the set 101. The gateway 128 
therefore inserts a line into the table 134, and the public Internet address field 
of the table 134 will then correspond to the public Internet address of the set 
101, and the field 134 will correspond to the port that has been allocated to set 
up a connection with the terminal 108. The gateway 128 is thus in a position to 
filter the messages addressed to the terminal 108 and thus avoid undesirable 
messages. All messages addressed to the gateway 128 by senders not registered in 
the table 134 are considered here to be undesirable. This is a standard firewall 
filtering technique. There are other techniques that are not described here. 

Detailed Description Text (34) : 

With these communications means having been allocated, when the terminal 108 sends 
out a message to the communications gateway, it is sent with the allocated private 
Internet address. The gateway 128 then retransmits this message to the public 
Internet. On this public Internet network, this message will be seen as having been 
sent from the public Internet address allocated by the gateway 128. This is an 
address translation mechanism. 



Detailed Description Text (35) : 

From the step 211, the operation passes to a step 212 for the transmission of the 
connection parameters allocated to the server 119. In this step 212, the gateway 
128 constitutes a message, for example by using the TCP protocol, whose body 
comprises the allocated public Internet address, possibly the allocated port or 
ports and a public identifier of the terminal 108 (namely its IMSI number or its
telephone number). The field identifying the sender of this message has the public
Internet address which had been allocated as its value. This message is therefore 
actually sent by the terminal 108 to the server 119 through the Internet. 

Detailed Description Text (41) : 

In the step 213, the set 101 has just received the parameters allocated by the
gateway 128 for setting up a connection with the terminal 108. The set 101
therefore possesses the public Internet address through which it can contact the 
set 108. The operation then goes to a step 214 for sending a frame by the set 101. 
In the step 211, the set 101 forms a frame according to the FTP. The destination 
address of this frame is a public Internet address which had been allocated by the 
gateway 128. The Internet network will route this frame up the gateway 128. In the 
step 215, the gateway 128 receives the frame in the FTP format sent out by the set 
101. 

Current US Cross Reference Classification (9) : 
709/238 

Current US Cross Reference Classification (10) : 
709/245 






□ 2. Document ID: US 6772210 B1

L7: Entry 2 of 7 File: USPT Aug 3, 2004

DOCUMENT-IDENTIFIER: US 6772210 B1

TITLE: Method and apparatus for exchanging communications between telephone number 
based devices in an internet protocol environment 

Brief Summary Text (10) : 

In a typical embodiment of the invention, the first network is a private network, 
and the second network is a public network. The first telephone number based device
has a private address for use in the private network. The gateway allocates a 
public address or public address/port number pair for the first telephone number 
based device for use in the public network, and performs address translation on IP 
communication messages exchanged between the first telephone number based device 
and the second telephone number based device such that the private address for the 
telephone number based device is used in the private network and the public address 
or public address/port number pair for the first telephone number based device is 
used in the public network. 



Detailed Description Text (12) : 

In any case, upon receiving a request for a (public) network address for the called 
VoIP device, the gateway 106 creates the appropriate mapping of a private address 
to a public address or public address/port number, and returns the (public) network 
address or address/port number pair for the called VoIP device. Specifically, 
whether the VoIP connection is initiated by the public VoIP device 102 or the 
private VoIP device 110, the gateway 106 dynamically allocates a public address for 
the private VoIP device 110, for example, from a pool (list) of available public 
addresses. If the gateway 106 permits multiple private addresses to be mapped to a
single public address, then the gateway 106 may also select a port number (socket)
for the private VoIP device 110. The gateway 106 maps the private address of the
private VoIP device 110 to the public address or public address/port number pair,
for example, in an address mapping database. The gateway 106 returns the (public)
network address for the called VoIP device, which is either the dynamically 
allocated public address or public address/port number pair, if the public VoIP 
device 102 is the calling VoIP device, or the public address of the public VoIP 
device 102, if the private VoIP device 110 is the calling VoIP device.

Detailed Description Text (15) :

Upon receiving the request 212 from the gatekeeper 112, the gateway 106 dynamically 
allocates a public address or public address/port number pair for the private VoIP 
device 110 and creates the appropriate mapping between the private address for the 
private VoIP device 110 and the corresponding public address or public address/port 
number pair. The gateway 106 also determines the called VoIP device, and determines 
the (public) network address or address/port number pair for the called VoIP
device, which is either the dynamically allocated public address or public
address/port number pair, if the public VoIP device 102 is the calling VoIP device,
or the public address of the public VoIP device 102, if the private VoIP device 110
is the calling VoIP device. The gateway 106 then sends a response 213 to the
gatekeeper 112 including the (public) network address or address/port number pair
for the called VoIP device. 



Detailed Description Text (20) : 

Upon receiving the request 223 from the calling VoIP device (102, 110), the gateway 
106 dynamically allocates a public address or public address/port number pair for
the private VoIP device 110 and creates the appropriate mapping between the private
address for the private VoIP device 110 and the corresponding public address or
public address/port number pair. The gateway 106 also determines the called VoIP
device, and determines the (public) network address or address/port number pair for
the called VoIP device, which is either the dynamically allocated public address or 
public address/port number pair, if the public VoIP device 102 is the calling VoIP 
device, or the public address of the public VoIP device 102, if the private VoIP 
device 110 is the calling VoIP device. The gateway 106 then sends a response 224 to 
the calling VoIP device (102, 110) including the (public) network address or 
address/port number pair for the called VoIP device. 

Detailed Description Text (30) : 

When the gateway 106 receives a request for a (public) network address for a called
VoIP device as part of the VoIP connection establishment procedure, the translator
706 dynamically allocates a public address for the private VoIP device 110 from the
address pool 704. If the translator 706 permits multiple private addresses to be 
mapped to a single public address, then the translator 706 may also select a port 
number (socket) for the private VoIP device 110. The translator 706 installs an 
address translation entry in the address mapping database 708 that maps the private 
address of the private VoIP device 110 to the public address or public address/port 
number pair. The translator 706 returns the (public) network address for the called 
VoIP device, which is either the dynamically allocated public address or public 
address/port number pair, if the public VoIP device 102 is the calling VoIP device, 
or the public address of the public VoIP device 102, if the private VoIP device 110 
is the calling VoIP device. 



Current US Original Classification (1) :

□ 3. Document ID: US 6697864 B1

L7: Entry 3 of 7 File: USPT Feb 24, 2004

DOCUMENT-IDENTIFIER: US 6697864 B1

TITLE: Login architecture for network access through a cable system 



Detailed Description Text (25) : 

An embodiment that operates in the home account mode is illustrated in FIG. 6. In 
this embodiment, only one account is required for all the users in the home LAN. 
This account is set on the gateway machine 136, and the account's login information 
(e.g., the user name and password) applies to the gateway computer and represents 
all the users in the home. The gateway computer 136 is assigned a restricted IP 
address by the DHCP server 86 in the cable network. When a user 76 in the home
wants to access the Internet 72, the gateway computer 136 auto-dials a PPTP tunnel 
160 from the gateway computer to the PPTP server 136 in the RDC 90. The login 
information, such as the user name and password stored on the gateway computer, is 
then used for authentication. After the gateway computer 136 is authenticated, a 
public IP address is allocated to the gateway computer. All the users and the 
computers in the home LAN 138 can then access the Internet through the PPTP tunnel 
160 established between the gateway computer 136 and the connection server 110 of 
the RDC 90. The source IP address of any traffic sent by a computer in the home LAN 
through the tunnel is translated by the gateway computer to the public IP address 
and the traffic is sent through the PPTP tunnel to the connection server. The 
protocol stack for this home-account mode is illustrated in FIG. 7. 

Current US Original Classification (1): 
709/229 

Current US Cross Reference Classification (1) : 
709/217 



□ 4. Document ID: US 6684242 B1

L7: Entry 4 of 7 File: USPT Jan 27, 2004

DOCUMENT-IDENTIFIER: US 6684242 B1

TITLE: Customer self-help toolkit



Detailed Description Text (16) : 

The first task of a user 102 wishing to access through the self service gateway 100 
is to login. Login can take on one of three forms, public, private, and new users. 
In FIG. 3, each login starts by examining the Internet Protocol (IP) address 
supplied by the user when accessing the self service gateway 100, as shown by 
decision block 300. If the IP address is in the range of IP addresses allocated to 
the MSO, then the user 102 is on one of the MSO's private networks. If the IP
address of the user 102 is not within the range allocated to the MSO, then user 102
is accessing the self service gateway 100 through a public network not controlled
by the MSO. For private network users, the customer interface program 112, or
employee interface program 142 (hereafter referred to as a user interface program)
obtains the user's medium access control address from the provisioning system, as
shown in block 302. This information will be used later in the function. Web server 
program 114 provides the user 102 with an existing/new user selection HTML page, as 
shown in block 304. The user's declaration as a new or existing user is acted upon, 
as shown in decision block 306. Existing private network users and public network 
users are provided a login HTML page, as shown in block 308. New users are provided 
with a self-service activation HTML page, as shown in block 310. 

Current US Original Classification (1) : 
709/222 



□ 5. Document ID: US 6631416 B2

L7: Entry 5 of 7 File: USPT Oct 7, 2003

DOCUMENT-IDENTIFIER: US 6631416 B2

** See Image for Certificate of Correction **

TITLE: Methods and systems for enabling a tunnel between two computers on a network

Detailed Description Text (250) :

The controller module 614 may then authenticate the control path request 10940 by 
verifying the MD5 signature and send a control path acknowledgement 10962 to the 
gateway 650. The control path acknowledgement 10962 may include: the virtual IP 
address of the controller module 614; the shared secret of the gateway 650; the 
public key for the network operations center 610; version information of the 
program code currently assigned to the gateway 650; and a new signature using a new 
nonce.

□ 6. Document ID: US 6618757 B1

L7: Entry 6 of 7 File: USPT

DOCUMENT-IDENTIFIER: US 6618757 B1

TITLE: System and method for dynamic IP address management 



Detailed Description Text (2) : 

According to the present embodiments, a prescribed system unit of the private 
network, for example, the gateway (GW) or the dynamic host configuration processor 
(DHCP), manages the assignment of public IP addresses external to a private
network. 

Current US Original Classification (1) : 
709/226 

Current US Cross Reference Classification (2) : 
709/227 

Current US Cross Reference Classification (3) : 
709/229 






□ 7. Document ID: US 6016318 A

L7: Entry 7 of 7 File: USPT Jan 18, 2000

DOCUMENT-IDENTIFIER: US 6016318 A

TITLE: Virtual private network system over public mobile data network and virtual 
LAN 



Current US Cross Reference Classification (3) 
709/249 



CLAIMS : 



4. The system as set forth in claim 1, wherein, when a call received from said 
internet is addressed using an IP address to said mobile data terminal, said router 
notifies all devices currently communicatively connected to said virtual LAN of 
said call, so that said mobile data terminal is capable of answering said call 
based on said notification if said mobile data terminal is currently 
communicatively coupled to said virtual LAN, and 

wherein, when said mobile data terminal is not currently communicatively connected 
to said virtual LAN, but is currently communicatively connected to said one of said 
mobile data subscriber processing units of said public mobile data network, said 
virtual private network gateway receives said notification and determines, based on 
current location information stored in said memory of said virtual private gateway 
network and based on information included with said notification, that said call is 
to be routed to said public mobile data network where said mobile data terminal is 
currently located, and said virtual private gateway network converts said IP 
address of said call to said network address that has been assigned to said one of 
said mobile data subscriber processing units that is currently communicatively 
connected to said mobile data terminal.

[57] ABSTRACT



A system and method for regulating access to a proxy cache 
server residing on an institutional intranet or local network 
provides a directory for storing user names that are 
appended to client requests for remote web site information. 
The proxy cache server reads the appended requests and 
either accepts or denies access to the requested information
based upon predetermined access control guidelines relative
to the specific user name. The access control guidelines can
be stored on the directory, and down-loaded to the proxy
cache server's memory as needed. The proxy cache server
stores and retrieves requested site information via the
Internet, but only retrieves and delivers requested site
information to clients if authorization is approved.

17 Claims, 3 Drawing Sheets

□ 1. Document ID: US 5991810 A

L8: Entry 1 of 2 File: USPT Nov 23, 1999

DOCUMENT-IDENTIFIER: US 5991810 A

TITLE: User name authentication for gateway clients accessing a proxy cache server




Detailed Description Text (2) : 

FIG. 1 illustrates an architecture-level block diagram of a network having a proxy 
cache server according to this invention. The network 20 includes a plurality of 
gateway clients shown generally by the exemplary gateway client block 22. Each 
gateway client can comprise a stand-alone microcomputer having a Central Processing 
Unit (CPU) 24, a memory 26 and a network adapter 28 for communication, all linked by
a bus 30. Each gateway client is linked with its own user interface 32 that allows 
data to be viewed and instructions to be transmitted. The user interface typically 
includes a keyboard, monitor and a screen-cursor manipulator, such as a mouse. The 
gateway client is linked to a local network or intranet 34. In this embodiment, it 
is contemplated that communication with the intranet is accomplished by 
transmitting and receiving data packets having header addresses provided in the IPX 
protocol available from Novell, Inc. of Provo, Utah. IP protocol can also be 
utilized. The intranet 34 is also linked with a Novell Directory Services (NDS) 
server 36, also commercially available from Novell, Inc. This server includes its 
own CPU 38, memory 40 and network adapter 42 linked by a bus 44. An associated data 
storage device such as a disk 46 is also linked to the server 36.

CLAIMS :

3. The computer system of claim 1, further comprising an interface mechanism, the 
interface mechanism comprising a gateway mechanism for handling at least one 
variable, the gateway mechanism residing in the memory and being executed by the at 
least one CPU, the gateway mechanism comprising a universal common gateway 
interface for communicating between the plurality of web browsers and the software 
application without requiring reprogramming for the software application.

5. The computer system of claim 1, further comprising: 

a security mechanism, the security mechanism residing in the memory and being 
executed by the at least one CPU, the security mechanism coupled to and providing 
an interface between the software application and the plurality of web browsers, 
the security mechanism receiving user input from the plurality of web browsers, the 
security mechanism retrieving authentication parameters for the software 
application corresponding to the received input; 

an interface mechanism, the interface mechanism comprising a gateway mechanism for 
handling at least one variable, the gateway mechanism residing in the memory and 
being executed by the at least one CPU, the gateway mechanism comprising a
universal common gateway interface for communicating between the plurality of web
browsers and the software application without requiring reprogramming for the
software application; and 

a disconnect mechanism, the disconnect mechanism residing in the memory and being 
executed by the at least one CPU, the disconnect mechanism storing state data and a 
conversation identifier relating to each conversation between one of the plurality 
of web browsers and a software application process when the software application 
process is suspended such that the data can be retrieved when the software 
application process is resumed.